Inicio Explorar Axuda
Iniciar sesión
LBP
/
miniflux_v2
réplica de https://github.com/miniflux/v2.git
4
0
Fork 0
Ficheiros Incidencias 0 Wiki
Árbore: bf2ceded96
Ramas Etiquetas
miniflux_v2
/
ui
/
middleware.go

middleware.go 4.4 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157 
  1. // Copyright 2018 Frédéric Guillot. All rights reserved.
    2. 

  2. // Use of this source code is governed by the Apache 2.0
    3. 

  3. // license that can be found in the LICENSE file.
    4. 

  4. 

  5. package ui // import "miniflux.app/ui"
    6. 

  6. 

  7. import (
    8. 

  8. 	"context"
    9. 

  9. 	"errors"
    10. 

  10. 	"net/http"
    11. 

  11. 

  12. 	"miniflux.app/config"
    13. 

  13. 	"miniflux.app/http/cookie"
    14. 

  14. 	"miniflux.app/http/request"
    15. 

  15. 	"miniflux.app/http/response/html"
    16. 

  16. 	"miniflux.app/http/route"
    17. 

  17. 	"miniflux.app/logger"
    18. 

  18. 	"miniflux.app/model"
    19. 

  19. 	"miniflux.app/storage"
    20. 

  20. 

  21. 	"github.com/gorilla/mux"
    22. 

  22. )
    23. 

  23. 

  24. type middleware struct {
    25. 

  25. 	router *mux.Router
    26. 

  26. 	store  *storage.Storage
    27. 

  27. }
    28. 

  28. 

  29. func newMiddleware(router *mux.Router, store *storage.Storage) *middleware {
    30. 

  30. 	return &middleware{router, store}
    31. 

  31. }
    32. 

  32. 

  33. func (m *middleware) handleUserSession(next http.Handler) http.Handler {
    34. 

  34. 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    35. 

  35. 		session := m.getUserSessionFromCookie(r)
    36. 

  36. 

  37. 		if session == nil {
    38. 

  38. 			if m.isPublicRoute(r) {
    39. 

  39. 				next.ServeHTTP(w, r)
    40. 

  40. 			} else {
    41. 

  41. 				logger.Debug("[UI:UserSession] Session not found, redirect to login page")
    42. 

  42. 				html.Redirect(w, r, route.Path(m.router, "login"))
    43. 

  43. 			}
    44. 

  44. 		} else {
    45. 

  45. 			logger.Debug("[UI:UserSession] %s", session)
    46. 

  46. 

  47. 			ctx := r.Context()
    48. 

  48. 			ctx = context.WithValue(ctx, request.UserIDContextKey, session.UserID)
    49. 

  49. 			ctx = context.WithValue(ctx, request.IsAuthenticatedContextKey, true)
    50. 

  50. 			ctx = context.WithValue(ctx, request.UserSessionTokenContextKey, session.Token)
    51. 

  51. 

  52. 			next.ServeHTTP(w, r.WithContext(ctx))
    53. 

  53. 		}
    54. 

  54. 	})
    55. 

  55. }
    56. 

  56. 

  57. func (m *middleware) handleAppSession(next http.Handler) http.Handler {
    58. 

  58. 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    59. 

  59. 		var err error
    60. 

  60. 		session := m.getAppSessionValueFromCookie(r)
    61. 

  61. 

  62. 		if session == nil {
    63. 

  63. 			if request.IsAuthenticated(r) {
    64. 

  64. 				userID := request.UserID(r)
    65. 

  65. 				logger.Debug("[UI:AppSession] Cookie expired but user #%d is logged: creating a new session", userID)
    66. 

  66. 				session, err = m.store.CreateAppSessionWithUserPrefs(userID)
    67. 

  67. 				if err != nil {
    68. 

  68. 					html.ServerError(w, r, err)
    69. 

  69. 					return
    70. 

  70. 				}
    71. 

  71. 			} else {
    72. 

  72. 				logger.Debug("[UI:AppSession] Session not found, creating a new one")
    73. 

  73. 				session, err = m.store.CreateAppSession()
    74. 

  74. 				if err != nil {
    75. 

  75. 					html.ServerError(w, r, err)
    76. 

  76. 					return
    77. 

  77. 				}
    78. 

  78. 			}
    79. 

  79. 

  80. 			http.SetCookie(w, cookie.New(cookie.CookieAppSessionID, session.ID, config.Opts.HTTPS, config.Opts.BasePath()))
    81. 

  81. 		} else {
    82. 

  82. 			logger.Debug("[UI:AppSession] %s", session)
    83. 

  83. 		}
    84. 

  84. 

  85. 		if r.Method == "POST" {
    86. 

  86. 			formValue := r.FormValue("csrf")
    87. 

  87. 			headerValue := r.Header.Get("X-Csrf-Token")
    88. 

  88. 

  89. 			if session.Data.CSRF != formValue && session.Data.CSRF != headerValue {
    90. 

  90. 				logger.Error(`[UI:AppSession] Invalid or missing CSRF token: Form="%s", Header="%s"`, formValue, headerValue)
    91. 

  91. 				html.BadRequest(w, r, errors.New("Invalid or missing CSRF"))
    92. 

  92. 				return
    93. 

  93. 			}
    94. 

  94. 		}
    95. 

  95. 

  96. 		ctx := r.Context()
    97. 

  97. 		ctx = context.WithValue(ctx, request.SessionIDContextKey, session.ID)
    98. 

  98. 		ctx = context.WithValue(ctx, request.CSRFContextKey, session.Data.CSRF)
    99. 

  99. 		ctx = context.WithValue(ctx, request.OAuth2StateContextKey, session.Data.OAuth2State)
    100. 

  100. 		ctx = context.WithValue(ctx, request.FlashMessageContextKey, session.Data.FlashMessage)
    101. 

  101. 		ctx = context.WithValue(ctx, request.FlashErrorMessageContextKey, session.Data.FlashErrorMessage)
    102. 

  102. 		ctx = context.WithValue(ctx, request.UserLanguageContextKey, session.Data.Language)
    103. 

  103. 		ctx = context.WithValue(ctx, request.UserThemeContextKey, session.Data.Theme)
    104. 

  104. 		ctx = context.WithValue(ctx, request.PocketRequestTokenContextKey, session.Data.PocketRequestToken)
    105. 

  105. 		next.ServeHTTP(w, r.WithContext(ctx))
    106. 

  106. 	})
    107. 

  107. }
    108. 

  108. 

  109. func (m *middleware) getAppSessionValueFromCookie(r *http.Request) *model.Session {
    110. 

  110. 	cookieValue := request.CookieValue(r, cookie.CookieAppSessionID)
    111. 

  111. 	if cookieValue == "" {
    112. 

  112. 		return nil
    113. 

  113. 	}
    114. 

  114. 

  115. 	session, err := m.store.AppSession(cookieValue)
    116. 

  116. 	if err != nil {
    117. 

  117. 		logger.Error("[UI:AppSession] %v", err)
    118. 

  118. 		return nil
    119. 

  119. 	}
    120. 

  120. 

  121. 	return session
    122. 

  122. }
    123. 

  123. 

  124. func (m *middleware) isPublicRoute(r *http.Request) bool {
    125. 

  125. 	route := mux.CurrentRoute(r)
    126. 

  126. 	switch route.GetName() {
    127. 

  127. 	case "login",
    128. 

  128. 		"checkLogin",
    129. 

  129. 		"stylesheet",
    130. 

  130. 		"javascript",
    131. 

  131. 		"oauth2Redirect",
    132. 

  132. 		"oauth2Callback",
    133. 

  133. 		"appIcon",
    134. 

  134. 		"favicon",
    135. 

  135. 		"webManifest",
    136. 

  136. 		"robots",
    137. 

  137. 		"healthcheck":
    138. 

  138. 		return true
    139. 

  139. 	default:
    140. 

  140. 		return false
    141. 

  141. 	}
    142. 

  142. }
    143. 

  143. 

  144. func (m *middleware) getUserSessionFromCookie(r *http.Request) *model.UserSession {
    145. 

  145. 	cookieValue := request.CookieValue(r, cookie.CookieUserSessionID)
    146. 

  146. 	if cookieValue == "" {
    147. 

  147. 		return nil
    148. 

  148. 	}
    149. 

  149. 

  150. 	session, err := m.store.UserSessionByToken(cookieValue)
    151. 

  151. 	if err != nil {
    152. 

  152. 		logger.Error("[UI:UserSession] %v", err)
    153. 

  153. 		return nil
    154. 

  154. 	}
    155. 

  155. 

  156. 	return session
    157. 

  157. }
    158.